Take your pick of any number of variants of spybot or similar botnet
varieties. They all have had new modules added in the past few
months to look for the Symantec AV vulnerability, along with VNC,
older vulnerabilities in Windows, etc.
So I would recommend that you look at the outbound TCP
traffic for a known infected host that was scanning your
network. You should be able to look at the information and find some
IP address which is acting as the C&C IRC host. Using that
information you should be able to track down and block all of the
hosts that have been compromised so far.
At 12:35 PM 2/17/2007, you wrote:
>I noticed a bunch of hosts on our campus were infected yesterday
>with something
>which caused them to scan for 139, 1433 and 2967. Anyone else see that?
>Anyone have any info?
>seems to me the previous round of malware that included 2967 also
>looked for 5900
>so this could be somewhat different?
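
Added example, not part of the original message: one way to carry out the triage described in the reply, finding the external endpoint shared by the known-infected scanners and then listing every campus host that contacted it. The flow records, the 10.0.0.0/8 campus range, the addresses and the function names are constructed assumptions; only the scan ports 139, 1433 and 2967 come from the thread.

```python
import ipaddress
from collections import defaultdict

CAMPUS = ipaddress.ip_network("10.0.0.0/8")  # assumption: campus address space
SCAN_PORTS = {139, 1433, 2967}               # ports reported in the thread

# Constructed sample of outbound TCP flows: (source, destination, dest port)
FLOWS = [
    ("10.1.1.5", "10.1.2.9", 2967),
    ("10.1.1.5", "10.1.2.10", 139),
    ("10.1.1.5", "192.0.2.44", 6667),
    ("10.1.1.5", "198.51.100.7", 80),
    ("10.1.3.8", "10.1.9.1", 1433),
    ("10.1.3.8", "192.0.2.44", 6667),
    ("10.1.3.8", "203.0.113.20", 443),
    ("10.1.7.7", "192.0.2.44", 6667),   # host not yet flagged as infected
    ("10.1.7.7", "198.51.100.7", 80),
    ("10.1.8.2", "203.0.113.20", 443),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in CAMPUS

def candidate_cc(flows, infected):
    """External (ip, port) endpoints contacted by every known-infected host."""
    infected = set(infected)
    seen = defaultdict(set)
    for src, dst, dport in flows:
        # Ignore the scanning itself and anything that stays on campus.
        if src in infected and not is_internal(dst) and dport not in SCAN_PORTS:
            seen[(dst, dport)].add(src)
    # A shared endpoint is only a candidate; an analyst still has to rule out
    # benign services (update servers, CDNs) that every host also talks to.
    return sorted(ep for ep, hosts in seen.items() if hosts == infected)

def hosts_talking_to(flows, endpoint):
    """All campus hosts with a flow to the given (ip, port) endpoint."""
    return sorted({src for src, dst, dport in flows
                   if (dst, dport) == endpoint and is_internal(src)})

if __name__ == "__main__":
    known = {"10.1.1.5", "10.1.3.8"}
    for endpoint in candidate_cc(FLOWS, known):
        contacts = hosts_talking_to(FLOWS, endpoint)
        print(endpoint, "contacted by", contacts)
        print("not yet flagged:", [h for h in contacts if h not in known])
```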